d1_pkt.c revision 306230
1/* ssl/d1_pkt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@openssl.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include <errno.h> 118#define USE_SOCKETS 119#include "ssl_locl.h" 120#include <openssl/evp.h> 121#include <openssl/buffer.h> 122#include <openssl/pqueue.h> 123#include <openssl/rand.h> 124 125static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 126 int len, int peek); 127static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); 128static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); 129static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 130 unsigned int *is_next_epoch); 131#if 0 132static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, 133 unsigned short *priority, 134 unsigned long *offset); 135#endif 136static int dtls1_buffer_record(SSL *s, record_pqueue *q, PQ_64BIT * priority); 137static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap); 138#if PQ_64BIT_IS_INTEGER 139static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT * num); 140#endif 141 142/* copy buffered record into SSL structure */ 143static int dtls1_copy_record(SSL *s, pitem *item) 144{ 145 DTLS1_RECORD_DATA *rdata; 146 147 rdata = (DTLS1_RECORD_DATA *)item->data; 148 149 if (s->s3->rbuf.buf != NULL) 150 OPENSSL_free(s->s3->rbuf.buf); 151 152 s->packet = rdata->packet; 153 s->packet_length = rdata->packet_length; 154 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 155 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 156 157 /* Set proper sequence number for mac calculation */ 158 memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); 159 160 return (1); 161} 162 163static int 164dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT * priority) 165{ 166 DTLS1_RECORD_DATA *rdata; 167 pitem *item; 168 169 /* Limit the size of the queue to prevent DOS attacks */ 170 if (pqueue_size(queue->q) >= 100) 171 return 0; 172 173 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); 174 item = pitem_new(*priority, rdata); 175 if (rdata == NULL || item == NULL) { 176 if (rdata != NULL) 177 OPENSSL_free(rdata); 178 if (item != NULL) 179 pitem_free(item); 180 181 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); 182 return (0); 183 } 184 185 rdata->packet = s->packet; 186 rdata->packet_length = s->packet_length; 187 memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); 188 memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); 189 190 item->data = rdata; 191 192 /* insert should not fail, since duplicates are dropped */ 193 if (pqueue_insert(queue->q, item) == NULL) { 194 OPENSSL_free(rdata); 195 pitem_free(item); 196 return (0); 197 } 198 199 s->packet = NULL; 200 s->packet_length = 0; 201 memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); 202 memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); 203 204 if (!ssl3_setup_buffers(s)) { 205 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); 206 OPENSSL_free(rdata); 207 pitem_free(item); 208 return (0); 209 } 210 211 return (1); 212} 213 214static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) 215{ 216 pitem *item; 217 218 item = pqueue_pop(queue->q); 219 if (item) { 220 dtls1_copy_record(s, item); 221 222 OPENSSL_free(item->data); 223 pitem_free(item); 224 225 return (1); 226 } 227 228 return (0); 229} 230 231/* 232 * retrieve a buffered record that belongs to the new epoch, i.e., not 233 * processed yet 234 */ 235#define dtls1_get_unprocessed_record(s) \ 236 dtls1_retrieve_buffered_record((s), \ 237 &((s)->d1->unprocessed_rcds)) 238 239/* 240 * retrieve a buffered record that belongs to the current epoch, ie, 241 * processed 242 */ 243#define dtls1_get_processed_record(s) \ 244 dtls1_retrieve_buffered_record((s), \ 245 &((s)->d1->processed_rcds)) 246 247static int dtls1_process_buffered_records(SSL *s) 248{ 249 pitem *item; 250 SSL3_BUFFER *rb; 251 SSL3_RECORD *rr; 252 DTLS1_BITMAP *bitmap; 253 unsigned int is_next_epoch; 254 int replayok = 1; 255 256 item = pqueue_peek(s->d1->unprocessed_rcds.q); 257 if (item) { 258 /* Check if epoch is current. */ 259 if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) 260 return 1; /* Nothing to do. */ 261 262 rr = &s->s3->rrec; 263 rb = &s->s3->rbuf; 264 265 if (rb->left > 0) { 266 /* 267 * We've still got data from the current packet to read. There could 268 * be a record from the new epoch in it - so don't overwrite it 269 * with the unprocessed records yet (we'll do it when we've 270 * finished reading the current packet). 271 */ 272 return 1; 273 } 274 275 276 /* Process all the records. */ 277 while (pqueue_peek(s->d1->unprocessed_rcds.q)) { 278 dtls1_get_unprocessed_record(s); 279 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); 280 if (bitmap == NULL) { 281 /* 282 * Should not happen. This will only ever be NULL when the 283 * current record is from a different epoch. But that cannot 284 * be the case because we already checked the epoch above 285 */ 286 SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, 287 ERR_R_INTERNAL_ERROR); 288 return 0; 289 } 290 { 291 /* 292 * Check whether this is a repeat, or aged record. We did this 293 * check once already when we first received the record - but 294 * we might have updated the window since then due to 295 * records we subsequently processed. 296 */ 297 replayok = dtls1_record_replay_check(s, bitmap); 298 } 299 300 if (!replayok || !dtls1_process_record(s, bitmap)) { 301 /* dump this record */ 302 rr->length = 0; 303 s->packet_length = 0; 304 continue; 305 } 306 307 if (dtls1_buffer_record(s, &(s->d1->processed_rcds), 308 &s->s3->rrec.seq_num) < 0) 309 return 0; 310 } 311 } 312 313 /* 314 * sync epoch numbers once all the unprocessed records have been 315 * processed 316 */ 317 s->d1->processed_rcds.epoch = s->d1->r_epoch; 318 s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; 319 320 return 1; 321} 322 323#if 0 324 325static int dtls1_get_buffered_record(SSL *s) 326{ 327 pitem *item; 328 PQ_64BIT priority = 329 (((PQ_64BIT) s->d1->handshake_read_seq) << 32) | 330 ((PQ_64BIT) s->d1->r_msg_hdr.frag_off); 331 332 /* if we're not (re)negotiating, nothing buffered */ 333 if (!SSL_in_init(s)) 334 return 0; 335 336 item = pqueue_peek(s->d1->rcvd_records); 337 if (item && item->priority == priority) { 338 /* 339 * Check if we've received the record of interest. It must be a 340 * handshake record, since data records as passed up without 341 * buffering 342 */ 343 DTLS1_RECORD_DATA *rdata; 344 item = pqueue_pop(s->d1->rcvd_records); 345 rdata = (DTLS1_RECORD_DATA *)item->data; 346 347 if (s->s3->rbuf.buf != NULL) 348 OPENSSL_free(s->s3->rbuf.buf); 349 350 s->packet = rdata->packet; 351 s->packet_length = rdata->packet_length; 352 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 353 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 354 355 OPENSSL_free(item->data); 356 pitem_free(item); 357 358 /* s->d1->next_expected_seq_num++; */ 359 return (1); 360 } 361 362 return 0; 363} 364 365#endif 366 367static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) 368{ 369 int i, al; 370 int enc_err; 371 SSL_SESSION *sess; 372 SSL3_RECORD *rr; 373 unsigned int mac_size, orig_len; 374 unsigned char md[EVP_MAX_MD_SIZE]; 375 376 rr = &(s->s3->rrec); 377 sess = s->session; 378 379 /* 380 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 381 * and we have that many bytes in s->packet 382 */ 383 rr->input = &(s->packet[DTLS1_RT_HEADER_LENGTH]); 384 385 /* 386 * ok, we can now read from 's->packet' data into 'rr' rr->input points 387 * at rr->length bytes, which need to be copied into rr->data by either 388 * the decryption or by the decompression When the data is 'copied' into 389 * the rr->data buffer, rr->input will be pointed at the new buffer 390 */ 391 392 /* 393 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length 394 * bytes of encrypted compressed stuff. 395 */ 396 397 /* check is not needed I believe */ 398 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 399 al = SSL_AD_RECORD_OVERFLOW; 400 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 401 goto f_err; 402 } 403 404 /* decrypt in place in 'rr->input' */ 405 rr->data = rr->input; 406 407 enc_err = s->method->ssl3_enc->enc(s, 0); 408 /*- 409 * enc_err is: 410 * 0: (in non-constant time) if the record is publically invalid. 411 * 1: if the padding is valid 412 * -1: if the padding is invalid 413 */ 414 if (enc_err == 0) { 415 /* For DTLS we simply ignore bad packets. */ 416 rr->length = 0; 417 s->packet_length = 0; 418 goto err; 419 } 420#ifdef TLS_DEBUG 421 printf("dec %d\n", rr->length); 422 { 423 unsigned int z; 424 for (z = 0; z < rr->length; z++) 425 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); 426 } 427 printf("\n"); 428#endif 429 430 /* r->length is now the compressed data plus mac */ 431 if ((sess != NULL) && (s->enc_read_ctx != NULL) && (s->read_hash != NULL)) { 432 /* s->read_hash != NULL => mac_size != -1 */ 433 unsigned char *mac = NULL; 434 unsigned char mac_tmp[EVP_MAX_MD_SIZE]; 435 mac_size = EVP_MD_size(s->read_hash); 436 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); 437 438 /* 439 * kludge: *_cbc_remove_padding passes padding length in rr->type 440 */ 441 orig_len = rr->length + ((unsigned int)rr->type >> 8); 442 443 /* 444 * orig_len is the length of the record before any padding was 445 * removed. This is public information, as is the MAC in use, 446 * therefore we can safely process the record in a different amount 447 * of time if it's too short to possibly contain a MAC. 448 */ 449 if (orig_len < mac_size || 450 /* CBC records must have a padding length byte too. */ 451 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && 452 orig_len < mac_size + 1)) { 453 al = SSL_AD_DECODE_ERROR; 454 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); 455 goto f_err; 456 } 457 458 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { 459 /* 460 * We update the length so that the TLS header bytes can be 461 * constructed correctly but we need to extract the MAC in 462 * constant time from within the record, without leaking the 463 * contents of the padding bytes. 464 */ 465 mac = mac_tmp; 466 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); 467 rr->length -= mac_size; 468 } else { 469 /* 470 * In this case there's no padding, so |orig_len| equals 471 * |rec->length| and we checked that there's enough bytes for 472 * |mac_size| above. 473 */ 474 rr->length -= mac_size; 475 mac = &rr->data[rr->length]; 476 } 477 478 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ ); 479 if (i < 0 || mac == NULL 480 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) 481 enc_err = -1; 482 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) 483 enc_err = -1; 484 } 485 486 if (enc_err < 0) { 487 /* decryption failed, silently discard message */ 488 rr->length = 0; 489 s->packet_length = 0; 490 goto err; 491 } 492 493 /* r->length is now just compressed */ 494 if (s->expand != NULL) { 495 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { 496 al = SSL_AD_RECORD_OVERFLOW; 497 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, 498 SSL_R_COMPRESSED_LENGTH_TOO_LONG); 499 goto f_err; 500 } 501 if (!ssl3_do_uncompress(s)) { 502 al = SSL_AD_DECOMPRESSION_FAILURE; 503 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); 504 goto f_err; 505 } 506 } 507 508 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { 509 al = SSL_AD_RECORD_OVERFLOW; 510 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); 511 goto f_err; 512 } 513 514 rr->off = 0; 515 /*- 516 * So at this point the following is true 517 * ssl->s3->rrec.type is the type of record 518 * ssl->s3->rrec.length == number of bytes in record 519 * ssl->s3->rrec.off == offset to first valid byte 520 * ssl->s3->rrec.data == where to take bytes from, increment 521 * after use :-). 522 */ 523 524 /* we have pulled in a full packet so zero things */ 525 s->packet_length = 0; 526 527 /* Mark receipt of record. */ 528 dtls1_record_bitmap_update(s, bitmap); 529 530 return (1); 531 532 f_err: 533 ssl3_send_alert(s, SSL3_AL_FATAL, al); 534 err: 535 return (0); 536} 537 538/*- 539 * Call this to get a new input record. 540 * It will return <= 0 if more data is needed, normally due to an error 541 * or non-blocking IO. 542 * When it finishes, one packet has been decoded and can be found in 543 * ssl->s3->rrec.type - is the type of record 544 * ssl->s3->rrec.data, - data 545 * ssl->s3->rrec.length, - number of bytes 546 */ 547/* used only by dtls1_read_bytes */ 548int dtls1_get_record(SSL *s) 549{ 550 int ssl_major, ssl_minor; 551 int i, n; 552 SSL3_RECORD *rr; 553 unsigned char *p = NULL; 554 unsigned short version; 555 DTLS1_BITMAP *bitmap; 556 unsigned int is_next_epoch; 557 558 rr = &(s->s3->rrec); 559 560 again: 561 /* 562 * The epoch may have changed. If so, process all the pending records. 563 * This is a non-blocking operation. 564 */ 565 dtls1_process_buffered_records(s); 566 567 /* if we're renegotiating, then there may be buffered records */ 568 if (dtls1_get_processed_record(s)) 569 return 1; 570 571 /* get something from the wire */ 572 /* check if we have the header */ 573 if ((s->rstate != SSL_ST_READ_BODY) || 574 (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { 575 n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); 576 /* read timeout is handled by dtls1_read_bytes */ 577 if (n <= 0) 578 return (n); /* error or non-blocking */ 579 580 /* this packet contained a partial record, dump it */ 581 if (s->packet_length != DTLS1_RT_HEADER_LENGTH) { 582 s->packet_length = 0; 583 goto again; 584 } 585 586 s->rstate = SSL_ST_READ_BODY; 587 588 p = s->packet; 589 590 /* Pull apart the header into the DTLS1_RECORD */ 591 rr->type = *(p++); 592 ssl_major = *(p++); 593 ssl_minor = *(p++); 594 version = (ssl_major << 8) | ssl_minor; 595 596 /* sequence number is 64 bits, with top 2 bytes = epoch */ 597 n2s(p, rr->epoch); 598 599 memcpy(&(s->s3->read_sequence[2]), p, 6); 600 p += 6; 601 602 n2s(p, rr->length); 603 604 /* Lets check version */ 605 if (!s->first_packet) { 606 if (version != s->version && version != DTLS1_BAD_VER) { 607 /* unexpected version, silently discard */ 608 rr->length = 0; 609 s->packet_length = 0; 610 goto again; 611 } 612 } 613 614 if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) && 615 (version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { 616 /* wrong version, silently discard record */ 617 rr->length = 0; 618 s->packet_length = 0; 619 goto again; 620 } 621 622 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 623 /* record too long, silently discard it */ 624 rr->length = 0; 625 s->packet_length = 0; 626 goto again; 627 } 628 629 s->client_version = version; 630 /* now s->rstate == SSL_ST_READ_BODY */ 631 } 632 633 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ 634 635 if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) { 636 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ 637 i = rr->length; 638 n = ssl3_read_n(s, i, i, 1); 639 /* this packet contained a partial record, dump it */ 640 if (n != i) { 641 rr->length = 0; 642 s->packet_length = 0; 643 goto again; 644 } 645 646 /* 647 * now n == rr->length, and s->packet_length == 648 * DTLS1_RT_HEADER_LENGTH + rr->length 649 */ 650 } 651 s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ 652 653 /* match epochs. NULL means the packet is dropped on the floor */ 654 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); 655 if (bitmap == NULL) { 656 rr->length = 0; 657 s->packet_length = 0; /* dump this record */ 658 goto again; /* get another record */ 659 } 660 661 /* 662 * Check whether this is a repeat, or aged record. Don't check if we're 663 * listening and this message is a ClientHello. They can look as if 664 * they're replayed, since they arrive from different connections and 665 * would be dropped unnecessarily. 666 */ 667 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && 668 s->packet_length > DTLS1_RT_HEADER_LENGTH && 669 s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && 670 !dtls1_record_replay_check(s, bitmap)) { 671 rr->length = 0; 672 s->packet_length = 0; /* dump this record */ 673 goto again; /* get another record */ 674 } 675 676 /* just read a 0 length packet */ 677 if (rr->length == 0) 678 goto again; 679 680 /* 681 * If this record is from the next epoch (either HM or ALERT), and a 682 * handshake is currently in progress, buffer it since it cannot be 683 * processed at this time. However, do not buffer anything while 684 * listening. 685 */ 686 if (is_next_epoch) { 687 if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { 688 if (dtls1_buffer_record 689 (s, &(s->d1->unprocessed_rcds), &rr->seq_num) < 0) 690 return -1; 691 } 692 rr->length = 0; 693 s->packet_length = 0; 694 goto again; 695 } 696 697 if (!dtls1_process_record(s, bitmap)) { 698 rr->length = 0; 699 s->packet_length = 0; /* dump this record */ 700 goto again; /* get another record */ 701 } 702 703 return (1); 704 705} 706 707/*- 708 * Return up to 'len' payload bytes received in 'type' records. 709 * 'type' is one of the following: 710 * 711 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) 712 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) 713 * - 0 (during a shutdown, no data has to be returned) 714 * 715 * If we don't have stored data to work from, read a SSL/TLS record first 716 * (possibly multiple records if we still don't have anything to return). 717 * 718 * This function must handle any surprises the peer may have for us, such as 719 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really 720 * a surprise, but handled as if it were), or renegotiation requests. 721 * Also if record payloads contain fragments too small to process, we store 722 * them until there is enough for the respective protocol (the record protocol 723 * may use arbitrary fragmentation and even interleaving): 724 * Change cipher spec protocol 725 * just 1 byte needed, no need for keeping anything stored 726 * Alert protocol 727 * 2 bytes needed (AlertLevel, AlertDescription) 728 * Handshake protocol 729 * 4 bytes needed (HandshakeType, uint24 length) -- we just have 730 * to detect unexpected Client Hello and Hello Request messages 731 * here, anything else is handled by higher layers 732 * Application data protocol 733 * none of our business 734 */ 735int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 736{ 737 int al, i, j, ret; 738 unsigned int n; 739 SSL3_RECORD *rr; 740 void (*cb) (const SSL *ssl, int type2, int val) = NULL; 741 742 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ 743 if (!ssl3_setup_buffers(s)) 744 return (-1); 745 746 /* XXX: check what the second '&& type' is about */ 747 if ((type && (type != SSL3_RT_APPLICATION_DATA) && 748 (type != SSL3_RT_HANDSHAKE) && type) || 749 (peek && (type != SSL3_RT_APPLICATION_DATA))) { 750 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); 751 return -1; 752 } 753 754 /* 755 * check whether there's a handshake message (client hello?) waiting 756 */ 757 if ((ret = have_handshake_fragment(s, type, buf, len, peek))) 758 return ret; 759 760 /* 761 * Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. 762 */ 763 764 if (!s->in_handshake && SSL_in_init(s)) { 765 /* type == SSL3_RT_APPLICATION_DATA */ 766 i = s->handshake_func(s); 767 if (i < 0) 768 return (i); 769 if (i == 0) { 770 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); 771 return (-1); 772 } 773 } 774 775 start: 776 s->rwstate = SSL_NOTHING; 777 778 /*- 779 * s->s3->rrec.type - is the type of record 780 * s->s3->rrec.data, - data 781 * s->s3->rrec.off, - offset into 'data' for next read 782 * s->s3->rrec.length, - number of bytes. 783 */ 784 rr = &(s->s3->rrec); 785 786 /* 787 * We are not handshaking and have no data yet, so process data buffered 788 * during the last handshake in advance, if any. 789 */ 790 if (s->state == SSL_ST_OK && rr->length == 0) { 791 pitem *item; 792 item = pqueue_pop(s->d1->buffered_app_data.q); 793 if (item) { 794 dtls1_copy_record(s, item); 795 796 OPENSSL_free(item->data); 797 pitem_free(item); 798 } 799 } 800 801 /* Check for timeout */ 802 if (dtls1_handle_timeout(s) > 0) 803 goto start; 804 805 /* get new packet if necessary */ 806 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { 807 ret = dtls1_get_record(s); 808 if (ret <= 0) { 809 ret = dtls1_read_failed(s, ret); 810 /* anything other than a timeout is an error */ 811 if (ret <= 0) 812 return (ret); 813 else 814 goto start; 815 } 816 } 817 818 if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) { 819 rr->length = 0; 820 goto start; 821 } 822 823 /* we now have a packet which can be read and processed */ 824 825 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, 826 * reset by ssl3_get_finished */ 827 && (rr->type != SSL3_RT_HANDSHAKE)) { 828 /* 829 * We now have application data between CCS and Finished. Most likely 830 * the packets were reordered on their way, so buffer the application 831 * data for later processing rather than dropping the connection. 832 */ 833 dtls1_buffer_record(s, &(s->d1->buffered_app_data), &rr->seq_num); 834 rr->length = 0; 835 goto start; 836 } 837 838 /* 839 * If the other end has shut down, throw anything we read away (even in 840 * 'peek' mode) 841 */ 842 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 843 rr->length = 0; 844 s->rwstate = SSL_NOTHING; 845 return (0); 846 } 847 848 if (type == rr->type) { /* SSL3_RT_APPLICATION_DATA or 849 * SSL3_RT_HANDSHAKE */ 850 /* 851 * make sure that we are not getting application data when we are 852 * doing a handshake for the first time 853 */ 854 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && 855 (s->enc_read_ctx == NULL)) { 856 al = SSL_AD_UNEXPECTED_MESSAGE; 857 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); 858 goto f_err; 859 } 860 861 if (len <= 0) 862 return (len); 863 864 if ((unsigned int)len > rr->length) 865 n = rr->length; 866 else 867 n = (unsigned int)len; 868 869 memcpy(buf, &(rr->data[rr->off]), n); 870 if (!peek) { 871 rr->length -= n; 872 rr->off += n; 873 if (rr->length == 0) { 874 s->rstate = SSL_ST_READ_HEADER; 875 rr->off = 0; 876 } 877 } 878 return (n); 879 } 880 881 /* 882 * If we get here, then type != rr->type; if we have a handshake message, 883 * then it was unexpected (Hello Request or Client Hello). 884 */ 885 886 /* 887 * In case of record types for which we have 'fragment' storage, fill 888 * that so that we can process the data at a fixed place. 889 */ 890 { 891 unsigned int k, dest_maxlen = 0; 892 unsigned char *dest = NULL; 893 unsigned int *dest_len = NULL; 894 895 if (rr->type == SSL3_RT_HANDSHAKE) { 896 dest_maxlen = sizeof s->d1->handshake_fragment; 897 dest = s->d1->handshake_fragment; 898 dest_len = &s->d1->handshake_fragment_len; 899 } else if (rr->type == SSL3_RT_ALERT) { 900 dest_maxlen = sizeof(s->d1->alert_fragment); 901 dest = s->d1->alert_fragment; 902 dest_len = &s->d1->alert_fragment_len; 903 } 904 /* else it's a CCS message, or application data or wrong */ 905 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) { 906 /* 907 * Application data while renegotiating is allowed. Try again 908 * reading. 909 */ 910 if (rr->type == SSL3_RT_APPLICATION_DATA) { 911 BIO *bio; 912 s->s3->in_read_app_data = 2; 913 bio = SSL_get_rbio(s); 914 s->rwstate = SSL_READING; 915 BIO_clear_retry_flags(bio); 916 BIO_set_retry_read(bio); 917 return (-1); 918 } 919 920 /* Not certain if this is the right error handling */ 921 al = SSL_AD_UNEXPECTED_MESSAGE; 922 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); 923 goto f_err; 924 } 925 926 if (dest_maxlen > 0) { 927 /* 928 * XDTLS: In a pathalogical case, the Client Hello may be 929 * fragmented--don't always expect dest_maxlen bytes 930 */ 931 if (rr->length < dest_maxlen) { 932#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 933 /* 934 * for normal alerts rr->length is 2, while 935 * dest_maxlen is 7 if we were to handle this 936 * non-existing alert... 937 */ 938 FIX ME 939#endif 940 s->rstate = SSL_ST_READ_HEADER; 941 rr->length = 0; 942 goto start; 943 } 944 945 /* now move 'n' bytes: */ 946 for (k = 0; k < dest_maxlen; k++) { 947 dest[k] = rr->data[rr->off++]; 948 rr->length--; 949 } 950 *dest_len = dest_maxlen; 951 } 952 } 953 954 /*- 955 * s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; 956 * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. 957 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) 958 */ 959 960 /* If we are a client, check for an incoming 'Hello Request': */ 961 if ((!s->server) && 962 (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 963 (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && 964 (s->session != NULL) && (s->session->cipher != NULL)) { 965 s->d1->handshake_fragment_len = 0; 966 967 if ((s->d1->handshake_fragment[1] != 0) || 968 (s->d1->handshake_fragment[2] != 0) || 969 (s->d1->handshake_fragment[3] != 0)) { 970 al = SSL_AD_DECODE_ERROR; 971 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); 972 goto err; 973 } 974 975 /* 976 * no need to check sequence number on HELLO REQUEST messages 977 */ 978 979 if (s->msg_callback) 980 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 981 s->d1->handshake_fragment, 4, s, 982 s->msg_callback_arg); 983 984 if (SSL_is_init_finished(s) && 985 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 986 !s->s3->renegotiate) { 987 s->d1->handshake_read_seq++; 988 ssl3_renegotiate(s); 989 if (ssl3_renegotiate_check(s)) { 990 i = s->handshake_func(s); 991 if (i < 0) 992 return (i); 993 if (i == 0) { 994 SSLerr(SSL_F_DTLS1_READ_BYTES, 995 SSL_R_SSL_HANDSHAKE_FAILURE); 996 return (-1); 997 } 998 999 if (!(s->mode & SSL_MODE_AUTO_RETRY)) { 1000 if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ 1001 BIO *bio; 1002 /* 1003 * In the case where we try to read application data, 1004 * but we trigger an SSL handshake, we return -1 with 1005 * the retry option set. Otherwise renegotiation may 1006 * cause nasty problems in the blocking world 1007 */ 1008 s->rwstate = SSL_READING; 1009 bio = SSL_get_rbio(s); 1010 BIO_clear_retry_flags(bio); 1011 BIO_set_retry_read(bio); 1012 return (-1); 1013 } 1014 } 1015 } 1016 } 1017 /* 1018 * we either finished a handshake or ignored the request, now try 1019 * again to obtain the (application) data we were asked for 1020 */ 1021 goto start; 1022 } 1023 1024 if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) { 1025 int alert_level = s->d1->alert_fragment[0]; 1026 int alert_descr = s->d1->alert_fragment[1]; 1027 1028 s->d1->alert_fragment_len = 0; 1029 1030 if (s->msg_callback) 1031 s->msg_callback(0, s->version, SSL3_RT_ALERT, 1032 s->d1->alert_fragment, 2, s, s->msg_callback_arg); 1033 1034 if (s->info_callback != NULL) 1035 cb = s->info_callback; 1036 else if (s->ctx->info_callback != NULL) 1037 cb = s->ctx->info_callback; 1038 1039 if (cb != NULL) { 1040 j = (alert_level << 8) | alert_descr; 1041 cb(s, SSL_CB_READ_ALERT, j); 1042 } 1043 1044 if (alert_level == 1) { /* warning */ 1045 s->s3->warn_alert = alert_descr; 1046 if (alert_descr == SSL_AD_CLOSE_NOTIFY) { 1047 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 1048 return (0); 1049 } 1050#if 0 1051 /* XXX: this is a possible improvement in the future */ 1052 /* now check if it's a missing record */ 1053 if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { 1054 unsigned short seq; 1055 unsigned int frag_off; 1056 unsigned char *p = &(s->d1->alert_fragment[2]); 1057 1058 n2s(p, seq); 1059 n2l3(p, frag_off); 1060 1061 dtls1_retransmit_message(s, 1062 dtls1_get_queue_priority 1063 (frag->msg_header.seq, 0), frag_off, 1064 &found); 1065 if (!found && SSL_in_init(s)) { 1066 /* 1067 * fprintf( stderr,"in init = %d\n", SSL_in_init(s)); 1068 */ 1069 /* 1070 * requested a message not yet sent, send an alert 1071 * ourselves 1072 */ 1073 ssl3_send_alert(s, SSL3_AL_WARNING, 1074 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 1075 } 1076 } 1077#endif 1078 } else if (alert_level == 2) { /* fatal */ 1079 char tmp[16]; 1080 1081 s->rwstate = SSL_NOTHING; 1082 s->s3->fatal_alert = alert_descr; 1083 SSLerr(SSL_F_DTLS1_READ_BYTES, 1084 SSL_AD_REASON_OFFSET + alert_descr); 1085 BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); 1086 ERR_add_error_data(2, "SSL alert number ", tmp); 1087 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 1088 SSL_CTX_remove_session(s->ctx, s->session); 1089 return (0); 1090 } else { 1091 al = SSL_AD_ILLEGAL_PARAMETER; 1092 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); 1093 goto f_err; 1094 } 1095 1096 goto start; 1097 } 1098 1099 if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a 1100 * shutdown */ 1101 s->rwstate = SSL_NOTHING; 1102 rr->length = 0; 1103 return (0); 1104 } 1105 1106 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1107 struct ccs_header_st ccs_hdr; 1108 unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; 1109 1110 dtls1_get_ccs_header(rr->data, &ccs_hdr); 1111 1112 /* 1113 * 'Change Cipher Spec' is just a single byte, so we know exactly 1114 * what the record payload has to look like 1115 */ 1116 /* XDTLS: check that epoch is consistent */ 1117 if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER) 1118 ccs_hdr_len = 3; 1119 1120 if ((rr->length != ccs_hdr_len) || (rr->off != 0) 1121 || (rr->data[0] != SSL3_MT_CCS)) { 1122 i = SSL_AD_ILLEGAL_PARAMETER; 1123 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC); 1124 goto err; 1125 } 1126 1127 rr->length = 0; 1128 1129 if (s->msg_callback) 1130 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 1131 rr->data, 1, s, s->msg_callback_arg); 1132 1133 /* 1134 * We can't process a CCS now, because previous handshake messages 1135 * are still missing, so just drop it. 1136 */ 1137 if (!s->d1->change_cipher_spec_ok) { 1138 goto start; 1139 } 1140 1141 s->d1->change_cipher_spec_ok = 0; 1142 1143 s->s3->change_cipher_spec = 1; 1144 if (!ssl3_do_change_cipher_spec(s)) 1145 goto err; 1146 1147 /* do this whenever CCS is processed */ 1148 dtls1_reset_seq_numbers(s, SSL3_CC_READ); 1149 1150 if (s->client_version == DTLS1_BAD_VER) 1151 s->d1->handshake_read_seq++; 1152 1153 goto start; 1154 } 1155 1156 /* 1157 * Unexpected handshake message (Client Hello, or protocol violation) 1158 */ 1159 if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 1160 !s->in_handshake) { 1161 struct hm_header_st msg_hdr; 1162 1163 /* this may just be a stale retransmit */ 1164 dtls1_get_message_header(rr->data, &msg_hdr); 1165 if (rr->epoch != s->d1->r_epoch) { 1166 rr->length = 0; 1167 goto start; 1168 } 1169 1170 /* 1171 * If we are server, we may have a repeated FINISHED of the client 1172 * here, then retransmit our CCS and FINISHED. 1173 */ 1174 if (msg_hdr.type == SSL3_MT_FINISHED) { 1175 if (dtls1_check_timeout_num(s) < 0) 1176 return -1; 1177 1178 dtls1_retransmit_buffered_messages(s); 1179 rr->length = 0; 1180 goto start; 1181 } 1182 1183 if (((s->state & SSL_ST_MASK) == SSL_ST_OK) && 1184 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { 1185#if 0 /* worked only because C operator preferences 1186 * are not as expected (and because this is 1187 * not really needed for clients except for 1188 * detecting protocol violations): */ 1189 s->state = SSL_ST_BEFORE | (s->server) 1190 ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1191#else 1192 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1193#endif 1194 s->new_session = 1; 1195 } 1196 i = s->handshake_func(s); 1197 if (i < 0) 1198 return (i); 1199 if (i == 0) { 1200 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); 1201 return (-1); 1202 } 1203 1204 if (!(s->mode & SSL_MODE_AUTO_RETRY)) { 1205 if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ 1206 BIO *bio; 1207 /* 1208 * In the case where we try to read application data, but we 1209 * trigger an SSL handshake, we return -1 with the retry 1210 * option set. Otherwise renegotiation may cause nasty 1211 * problems in the blocking world 1212 */ 1213 s->rwstate = SSL_READING; 1214 bio = SSL_get_rbio(s); 1215 BIO_clear_retry_flags(bio); 1216 BIO_set_retry_read(bio); 1217 return (-1); 1218 } 1219 } 1220 goto start; 1221 } 1222 1223 switch (rr->type) { 1224 default: 1225#ifndef OPENSSL_NO_TLS 1226 /* TLS just ignores unknown message types */ 1227 if (s->version == TLS1_VERSION) { 1228 rr->length = 0; 1229 goto start; 1230 } 1231#endif 1232 al = SSL_AD_UNEXPECTED_MESSAGE; 1233 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); 1234 goto f_err; 1235 case SSL3_RT_CHANGE_CIPHER_SPEC: 1236 case SSL3_RT_ALERT: 1237 case SSL3_RT_HANDSHAKE: 1238 /* 1239 * we already handled all of these, with the possible exception of 1240 * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not 1241 * happen when type != rr->type 1242 */ 1243 al = SSL_AD_UNEXPECTED_MESSAGE; 1244 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); 1245 goto f_err; 1246 case SSL3_RT_APPLICATION_DATA: 1247 /* 1248 * At this point, we were expecting handshake data, but have 1249 * application data. If the library was running inside ssl3_read() 1250 * (i.e. in_read_app_data is set) and it makes sense to read 1251 * application data at this point (session renegotiation not yet 1252 * started), we will indulge it. 1253 */ 1254 if (s->s3->in_read_app_data && 1255 (s->s3->total_renegotiations != 0) && 1256 (((s->state & SSL_ST_CONNECT) && 1257 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && 1258 (s->state <= SSL3_ST_CR_SRVR_HELLO_A) 1259 ) || ((s->state & SSL_ST_ACCEPT) && 1260 (s->state <= SSL3_ST_SW_HELLO_REQ_A) && 1261 (s->state >= SSL3_ST_SR_CLNT_HELLO_A) 1262 ) 1263 )) { 1264 s->s3->in_read_app_data = 2; 1265 return (-1); 1266 } else { 1267 al = SSL_AD_UNEXPECTED_MESSAGE; 1268 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); 1269 goto f_err; 1270 } 1271 } 1272 /* not reached */ 1273 1274 f_err: 1275 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1276 err: 1277 return (-1); 1278} 1279 1280int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) 1281{ 1282 int i; 1283 1284 if (SSL_in_init(s) && !s->in_handshake) { 1285 i = s->handshake_func(s); 1286 if (i < 0) 1287 return (i); 1288 if (i == 0) { 1289 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, 1290 SSL_R_SSL_HANDSHAKE_FAILURE); 1291 return -1; 1292 } 1293 } 1294 1295 if (len > SSL3_RT_MAX_PLAIN_LENGTH) { 1296 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_DTLS_MESSAGE_TOO_BIG); 1297 return -1; 1298 } 1299 1300 i = dtls1_write_bytes(s, type, buf_, len); 1301 return i; 1302} 1303 1304 /* 1305 * this only happens when a client hello is received and a handshake 1306 * is started. 1307 */ 1308static int 1309have_handshake_fragment(SSL *s, int type, unsigned char *buf, 1310 int len, int peek) 1311{ 1312 1313 if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) 1314 /* (partially) satisfy request from storage */ 1315 { 1316 unsigned char *src = s->d1->handshake_fragment; 1317 unsigned char *dst = buf; 1318 unsigned int k, n; 1319 1320 /* peek == 0 */ 1321 n = 0; 1322 while ((len > 0) && (s->d1->handshake_fragment_len > 0)) { 1323 *dst++ = *src++; 1324 len--; 1325 s->d1->handshake_fragment_len--; 1326 n++; 1327 } 1328 /* move any remaining fragment bytes: */ 1329 for (k = 0; k < s->d1->handshake_fragment_len; k++) 1330 s->d1->handshake_fragment[k] = *src++; 1331 return n; 1332 } 1333 1334 return 0; 1335} 1336 1337/* 1338 * Call this to write data in records of type 'type' It will return <= 0 if 1339 * not all data has been sent or non-blocking IO. 1340 */ 1341int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) 1342{ 1343 int i; 1344 1345 OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); 1346 s->rwstate = SSL_NOTHING; 1347 i = do_dtls1_write(s, type, buf, len, 0); 1348 return i; 1349} 1350 1351int do_dtls1_write(SSL *s, int type, const unsigned char *buf, 1352 unsigned int len, int create_empty_fragment) 1353{ 1354 unsigned char *p, *pseq; 1355 int i, mac_size, clear = 0; 1356 int prefix_len = 0; 1357 SSL3_RECORD *wr; 1358 SSL3_BUFFER *wb; 1359 SSL_SESSION *sess; 1360 int bs; 1361 1362 /* 1363 * first check if there is a SSL3_BUFFER still being written out. This 1364 * will happen with non blocking IO 1365 */ 1366 if (s->s3->wbuf.left != 0) { 1367 OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ 1368 return (ssl3_write_pending(s, type, buf, len)); 1369 } 1370 1371 /* If we have an alert to send, lets send it */ 1372 if (s->s3->alert_dispatch) { 1373 i = s->method->ssl_dispatch_alert(s); 1374 if (i <= 0) 1375 return (i); 1376 /* if it went, fall through and send more stuff */ 1377 } 1378 1379 if (len == 0 && !create_empty_fragment) 1380 return 0; 1381 1382 wr = &(s->s3->wrec); 1383 wb = &(s->s3->wbuf); 1384 sess = s->session; 1385 1386 if ((sess == NULL) || 1387 (s->enc_write_ctx == NULL) || (s->write_hash == NULL)) 1388 clear = 1; 1389 1390 if (clear) 1391 mac_size = 0; 1392 else 1393 mac_size = EVP_MD_size(s->write_hash); 1394 1395 /* DTLS implements explicit IV, so no need for empty fragments */ 1396#if 0 1397 /* 1398 * 'create_empty_fragment' is true only when this function calls itself 1399 */ 1400 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done 1401 && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) 1402 { 1403 /* 1404 * countermeasure against known-IV weakness in CBC ciphersuites (see 1405 * http://www.openssl.org/~bodo/tls-cbc.txt) 1406 */ 1407 1408 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) { 1409 /* 1410 * recursive function call with 'create_empty_fragment' set; this 1411 * prepares and buffers the data for an empty fragment (these 1412 * 'prefix_len' bytes are sent out later together with the actual 1413 * payload) 1414 */ 1415 prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1); 1416 if (prefix_len <= 0) 1417 goto err; 1418 1419 if (s->s3->wbuf.len < 1420 (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) { 1421 /* insufficient space */ 1422 SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); 1423 goto err; 1424 } 1425 } 1426 1427 s->s3->empty_fragment_done = 1; 1428 } 1429#endif 1430 1431 p = wb->buf + prefix_len; 1432 1433 /* write the header */ 1434 1435 *(p++) = type & 0xff; 1436 wr->type = type; 1437 1438 if (s->client_version == DTLS1_BAD_VER) 1439 *(p++) = DTLS1_BAD_VER >> 8, *(p++) = DTLS1_BAD_VER & 0xff; 1440 else 1441 *(p++) = (s->version >> 8), *(p++) = s->version & 0xff; 1442 1443 /* field where we are to write out packet epoch, seq num and len */ 1444 pseq = p; 1445 p += 10; 1446 1447 /* lets setup the record stuff. */ 1448 1449 /* 1450 * Make space for the explicit IV in case of CBC. (this is a bit of a 1451 * boundary violation, but what the heck). 1452 */ 1453 if (s->enc_write_ctx && 1454 (EVP_CIPHER_mode(s->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) 1455 bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher); 1456 else 1457 bs = 0; 1458 1459 wr->data = p + bs; /* make room for IV in case of CBC */ 1460 wr->length = (int)len; 1461 wr->input = (unsigned char *)buf; 1462 1463 /* 1464 * we now 'read' from wr->input, wr->length bytes into wr->data 1465 */ 1466 1467 /* first we compress */ 1468 if (s->compress != NULL) { 1469 if (!ssl3_do_compress(s)) { 1470 SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE); 1471 goto err; 1472 } 1473 } else { 1474 memcpy(wr->data, wr->input, wr->length); 1475 wr->input = wr->data; 1476 } 1477 1478 /* 1479 * we should still have the output to wr->data and the input from 1480 * wr->input. Length should be wr->length. wr->data still points in the 1481 * wb->buf 1482 */ 1483 1484 if (mac_size != 0) { 1485 s->method->ssl3_enc->mac(s, &(p[wr->length + bs]), 1); 1486 wr->length += mac_size; 1487 } 1488 1489 /* this is true regardless of mac size */ 1490 wr->input = p; 1491 wr->data = p; 1492 1493 /* ssl3_enc can only have an error on read */ 1494 if (bs) { /* bs != 0 in case of CBC */ 1495 RAND_pseudo_bytes(p, bs); 1496 /* 1497 * master IV and last CBC residue stand for the rest of randomness 1498 */ 1499 wr->length += bs; 1500 } 1501 1502 s->method->ssl3_enc->enc(s, 1); 1503 1504 /* record length after mac and block padding */ 1505 /* 1506 * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && ! 1507 * SSL_in_init(s))) 1508 */ 1509 1510 /* there's only one epoch between handshake and app data */ 1511 1512 s2n(s->d1->w_epoch, pseq); 1513 1514 /* XDTLS: ?? */ 1515 /* 1516 * else s2n(s->d1->handshake_epoch, pseq); 1517 */ 1518 1519 memcpy(pseq, &(s->s3->write_sequence[2]), 6); 1520 pseq += 6; 1521 s2n(wr->length, pseq); 1522 1523 /* 1524 * we should now have wr->data pointing to the encrypted data, which is 1525 * wr->length long 1526 */ 1527 wr->type = type; /* not needed but helps for debugging */ 1528 wr->length += DTLS1_RT_HEADER_LENGTH; 1529 1530#if 0 /* this is now done at the message layer */ 1531 /* buffer the record, making it easy to handle retransmits */ 1532 if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC) 1533 dtls1_buffer_record(s, wr->data, wr->length, 1534 *((PQ_64BIT *) & (s->s3->write_sequence[0]))); 1535#endif 1536 1537 ssl3_record_sequence_update(&(s->s3->write_sequence[0])); 1538 1539 if (create_empty_fragment) { 1540 /* 1541 * we are in a recursive call; just return the length, don't write 1542 * out anything here 1543 */ 1544 return wr->length; 1545 } 1546 1547 /* now let's set up wb */ 1548 wb->left = prefix_len + wr->length; 1549 wb->offset = 0; 1550 1551 /* 1552 * memorize arguments so that ssl3_write_pending can detect bad write 1553 * retries later 1554 */ 1555 s->s3->wpend_tot = len; 1556 s->s3->wpend_buf = buf; 1557 s->s3->wpend_type = type; 1558 s->s3->wpend_ret = len; 1559 1560 /* we now just need to write the buffer */ 1561 return ssl3_write_pending(s, type, buf, len); 1562 err: 1563 return -1; 1564} 1565 1566static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) 1567{ 1568#if PQ_64BIT_IS_INTEGER 1569 PQ_64BIT mask = 0x0000000000000001L; 1570#endif 1571 PQ_64BIT rcd_num, tmp; 1572 1573 pq_64bit_init(&rcd_num); 1574 pq_64bit_init(&tmp); 1575 1576 /* this is the sequence number for the record just read */ 1577 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); 1578 1579 if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || 1580 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) { 1581 pq_64bit_assign(&s->s3->rrec.seq_num, &rcd_num); 1582 pq_64bit_free(&rcd_num); 1583 pq_64bit_free(&tmp); 1584 return 1; /* this record is new */ 1585 } 1586 1587 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1588 1589 if (pq_64bit_get_word(&tmp) > bitmap->length) { 1590 pq_64bit_free(&rcd_num); 1591 pq_64bit_free(&tmp); 1592 return 0; /* stale, outside the window */ 1593 } 1594#if PQ_64BIT_IS_BIGNUM 1595 { 1596 int offset; 1597 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1598 pq_64bit_sub_word(&tmp, 1); 1599 offset = pq_64bit_get_word(&tmp); 1600 if (pq_64bit_is_bit_set(&(bitmap->map), offset)) { 1601 pq_64bit_free(&rcd_num); 1602 pq_64bit_free(&tmp); 1603 return 0; 1604 } 1605 } 1606#else 1607 mask <<= (bitmap->max_seq_num - rcd_num - 1); 1608 if (bitmap->map & mask) 1609 return 0; /* record previously received */ 1610#endif 1611 1612 pq_64bit_assign(&s->s3->rrec.seq_num, &rcd_num); 1613 pq_64bit_free(&rcd_num); 1614 pq_64bit_free(&tmp); 1615 return 1; 1616} 1617 1618static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) 1619{ 1620 unsigned int shift; 1621 PQ_64BIT rcd_num; 1622 PQ_64BIT tmp; 1623 PQ_64BIT_CTX *ctx; 1624 1625 pq_64bit_init(&rcd_num); 1626 pq_64bit_init(&tmp); 1627 1628 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); 1629 1630 /* 1631 * unfortunate code complexity due to 64-bit manipulation support on 1632 * 32-bit machines 1633 */ 1634 if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || 1635 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) { 1636 pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num)); 1637 pq_64bit_add_word(&tmp, 1); 1638 1639 shift = (unsigned int)pq_64bit_get_word(&tmp); 1640 1641 pq_64bit_lshift(&(tmp), &(bitmap->map), shift); 1642 pq_64bit_assign(&(bitmap->map), &tmp); 1643 1644 pq_64bit_set_bit(&(bitmap->map), 0); 1645 pq_64bit_add_word(&rcd_num, 1); 1646 pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num); 1647 1648 pq_64bit_assign_word(&tmp, 1); 1649 pq_64bit_lshift(&tmp, &tmp, bitmap->length); 1650 ctx = pq_64bit_ctx_new(&ctx); 1651 pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx); 1652 pq_64bit_ctx_free(ctx); 1653 } else { 1654 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1655 pq_64bit_sub_word(&tmp, 1); 1656 shift = (unsigned int)pq_64bit_get_word(&tmp); 1657 1658 pq_64bit_set_bit(&(bitmap->map), shift); 1659 } 1660 1661 pq_64bit_free(&rcd_num); 1662 pq_64bit_free(&tmp); 1663} 1664 1665int dtls1_dispatch_alert(SSL *s) 1666{ 1667 int i, j; 1668 void (*cb) (const SSL *ssl, int type, int val) = NULL; 1669 unsigned char buf[DTLS1_AL_HEADER_LENGTH]; 1670 unsigned char *ptr = &buf[0]; 1671 1672 s->s3->alert_dispatch = 0; 1673 1674 memset(buf, 0x00, sizeof(buf)); 1675 *ptr++ = s->s3->send_alert[0]; 1676 *ptr++ = s->s3->send_alert[1]; 1677 1678#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1679 if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { 1680 s2n(s->d1->handshake_read_seq, ptr); 1681# if 0 1682 if (s->d1->r_msg_hdr.frag_off == 0) 1683 /* 1684 * waiting for a new msg 1685 */ 1686 else 1687 s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */ 1688# endif 1689 1690# if 0 1691 fprintf(stderr, 1692 "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n", 1693 s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq); 1694# endif 1695 l2n3(s->d1->r_msg_hdr.frag_off, ptr); 1696 } 1697#endif 1698 1699 i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); 1700 if (i <= 0) { 1701 s->s3->alert_dispatch = 1; 1702 /* fprintf( stderr, "not done with alert\n" ); */ 1703 } else { 1704 if (s->s3->send_alert[0] == SSL3_AL_FATAL 1705#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1706 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1707#endif 1708 ) 1709 (void)BIO_flush(s->wbio); 1710 1711 if (s->msg_callback) 1712 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 1713 2, s, s->msg_callback_arg); 1714 1715 if (s->info_callback != NULL) 1716 cb = s->info_callback; 1717 else if (s->ctx->info_callback != NULL) 1718 cb = s->ctx->info_callback; 1719 1720 if (cb != NULL) { 1721 j = (s->s3->send_alert[0] << 8) | s->s3->send_alert[1]; 1722 cb(s, SSL_CB_WRITE_ALERT, j); 1723 } 1724 } 1725 return (i); 1726} 1727 1728static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 1729 unsigned int *is_next_epoch) 1730{ 1731 1732 *is_next_epoch = 0; 1733 1734 /* In current epoch, accept HM, CCS, DATA, & ALERT */ 1735 if (rr->epoch == s->d1->r_epoch) 1736 return &s->d1->bitmap; 1737 1738 /* 1739 * Only HM and ALERT messages can be from the next epoch and only if we 1740 * have already processed all of the unprocessed records from the last 1741 * epoch 1742 */ 1743 else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && 1744 s->d1->unprocessed_rcds.epoch != s->d1->r_epoch && 1745 (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { 1746 *is_next_epoch = 1; 1747 return &s->d1->next_bitmap; 1748 } 1749 1750 return NULL; 1751} 1752 1753#if 0 1754static int 1755dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, 1756 unsigned short *priority, unsigned long *offset) 1757{ 1758 1759 /* alerts are passed up immediately */ 1760 if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT) 1761 return 0; 1762 1763 /* 1764 * Only need to buffer if a handshake is underway. (this implies that 1765 * Hello Request and Client Hello are passed up immediately) 1766 */ 1767 if (SSL_in_init(s)) { 1768 unsigned char *data = rr->data; 1769 /* need to extract the HM/CCS sequence number here */ 1770 if (rr->type == SSL3_RT_HANDSHAKE || 1771 rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1772 unsigned short seq_num; 1773 struct hm_header_st msg_hdr; 1774 struct ccs_header_st ccs_hdr; 1775 1776 if (rr->type == SSL3_RT_HANDSHAKE) { 1777 dtls1_get_message_header(data, &msg_hdr); 1778 seq_num = msg_hdr.seq; 1779 *offset = msg_hdr.frag_off; 1780 } else { 1781 dtls1_get_ccs_header(data, &ccs_hdr); 1782 seq_num = ccs_hdr.seq; 1783 *offset = 0; 1784 } 1785 1786 /* 1787 * this is either a record we're waiting for, or a retransmit of 1788 * something we happened to previously receive (higher layers 1789 * will drop the repeat silently 1790 */ 1791 if (seq_num < s->d1->handshake_read_seq) 1792 return 0; 1793 if (rr->type == SSL3_RT_HANDSHAKE && 1794 seq_num == s->d1->handshake_read_seq && 1795 msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off) 1796 return 0; 1797 else if (seq_num == s->d1->handshake_read_seq && 1798 (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC || 1799 msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off)) 1800 return 0; 1801 else { 1802 *priority = seq_num; 1803 return 1; 1804 } 1805 } else /* unknown record type */ 1806 return 0; 1807 } 1808 1809 return 0; 1810} 1811#endif 1812 1813void dtls1_reset_seq_numbers(SSL *s, int rw) 1814{ 1815 unsigned char *seq; 1816 unsigned int seq_bytes = sizeof(s->s3->read_sequence); 1817 1818 if (rw & SSL3_CC_READ) { 1819 seq = s->s3->read_sequence; 1820 s->d1->r_epoch++; 1821 1822 pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map)); 1823 s->d1->bitmap.length = s->d1->next_bitmap.length; 1824 pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 1825 &(s->d1->next_bitmap.max_seq_num)); 1826 1827 pq_64bit_free(&(s->d1->next_bitmap.map)); 1828 pq_64bit_free(&(s->d1->next_bitmap.max_seq_num)); 1829 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); 1830 pq_64bit_init(&(s->d1->next_bitmap.map)); 1831 pq_64bit_init(&(s->d1->next_bitmap.max_seq_num)); 1832 1833 /* 1834 * We must not use any buffered messages received from the previous 1835 * epoch 1836 */ 1837 dtls1_clear_received_buffer(s); 1838 } else { 1839 seq = s->s3->write_sequence; 1840 memcpy(s->d1->last_write_sequence, seq, 1841 sizeof(s->s3->write_sequence)); 1842 s->d1->w_epoch++; 1843 } 1844 1845 memset(seq, 0x00, seq_bytes); 1846} 1847 1848#if PQ_64BIT_IS_INTEGER 1849static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT * num) 1850{ 1851 PQ_64BIT _num; 1852 1853 _num = (((PQ_64BIT) bytes[0]) << 56) | 1854 (((PQ_64BIT) bytes[1]) << 48) | 1855 (((PQ_64BIT) bytes[2]) << 40) | 1856 (((PQ_64BIT) bytes[3]) << 32) | 1857 (((PQ_64BIT) bytes[4]) << 24) | 1858 (((PQ_64BIT) bytes[5]) << 16) | 1859 (((PQ_64BIT) bytes[6]) << 8) | (((PQ_64BIT) bytes[7])); 1860 1861 *num = _num; 1862 return _num; 1863} 1864#endif 1865